Hi,
Maybe a simple question, but I'm struggling with it.
I would like to make a new field with eval which consists of two previously made fields with contents out of two indexes.
Here is my search query. The new field Dagen does not appear as a new field.
Can someone tell me what I'm doing wrong?
index=1 OR index=2
| dedup ID
| eval Archief=strptime(field1, "%Y-%m-%d %H:%M:%S.%N"), DatumWachtkamer=strptime(field2, "%Y-%m-%d %H:%M:%S.%N")
| eval Dagen=floor((Archief-DatumWachtkamer)/86400)